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C/^ ■ Abstract 

OO ' Linear Temporal Logic (LTL) is widely used for defining conditions on the execution 



paths of dynamic systems. In the case of dynamic systems that allow for nondeterministic 
evolutions, one has to specify, along with an LTL formula ip, which are the paths that are 
required to satisfy the formula. Two extreme cases are the universal interpretation A.^p, 
which requires that the formula be satisfied for all execution paths, and the existential 



C/3 , interpretation £.(p, which requires that the formula be satisfied for some execution path. 

^ ' When LTL is applied to the definition of goals in planning problems on nondeterministic 

domains, these two extreme cases are too restrictive. It is often impossible to develop plans 
that achieve the goal in all the nondeterministic evolutions of a system, and it is too weak 
to require that the goal is satisfied by some execution. 
\ In this paper we explore alternative interpretations of an LTL formula that are between 

CO ' these extreme cases. We define a new language that permits an arbitrary combination of 

I the A and £ quantifiers, thus allowing, for instance, to require that each finite execution 

Q^ ■ can be extended to an execution satisfying an LTL formula {A£.(p), or that there is some 

I finite execution whose extensions all satisfy an LTL formula {£A.(p). We show that only 

eight of these combinations of path quantifiers are relevant, corresponding to an alternation 
of the quantifiers of length one (A and £), two {A£ and £A), three {A£A and £A£), and 
infinity {{A£)'^ and (£14)"). We also present a planning algorithm for the new language 
that is based on an automata-theoretic approach, and study its complexity. 



1. Introduction 

In automated task planning (Fikes & Nilsson, 1971; Penberthy & Weld, 1992; Ghallab, Nau, 
&: Traverse, 2004), given a description of a dynamic domain and of the basic actions that can 
be performed on it, and given a goal that defines a success condition to be achieved, one has 
to find a suitable plan, that is, a description of the actions to be executed on the domain in 
order to achieve the goal. "Classical" planning concentrates on the so called "reachability" 
goals, that is, on goals that define a set of final desired states to be reached. Quite often 
practical applications require plans that deal with goals that are more general than sets of 
final states. Several planning approaches have been recently proposed, where temporal logic 
formulas are used as goal language, thus allowing for goals that define conditions on the 
whole plan execution paths, i.e., on the sequences of states resulting from the execution of 
plans (Bacchus &: Kabanza, 1998, 2000; Calvanese, de Giacomo, &: Vardi, 2002; Cerrito &: 
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Mayer, 1998; Dal Lago, Pistore, & Traverse, 2002; de Giacomo h Vardi, 1999; Kvarnstrom 
& Doherty, 2001; Pistore & Traverso, 2001). Most of these approaches use Linear Temporal 
Logic (LTL) (Emerson, 1990) as the goal language. LTL allows one to express reachability 
goals (e.g., ¥ q — reach g), maintainability goals (e.g., Gq — maintain g), as well as goals 
that combine reachability and maintainability requirements (e.g., FGg — reach a set of 
states where q can be maintained), and Boolean combinations of these goals. 

In planning in nondeterministic domains (Cimatti, Pistore, Roveri, & Traverso, 2003; 
Peot &; Smith, 1992; Warren, 1976), actions are allowed to have different outcomes, and it is 
not possible to know at planning time which of the different possible outcomes will actually 
take place. Nondeterminism in action outcome is necessary for modeling in a realistic way 
several practical domains, ranging from robotics to autonomous controllers to two-player 
games. ^ For instance, in a realistic robotic application one has to take into account that 
actions like "pick up object" might result in a failure (e.g., if the object slips out of the 
robot's hand). A consequence of nondeterminism is that the execution of a plan may lead to 
more than one possible execution path. Therefore, one has to distinguish whether a given 
goal has to be satisfied by all the possible execution paths (in this case we speak of "strong" 
planning), or only by some of the possible execution paths ("weak" planning). In the case 
of an LTL goal ip, strong planning corresponds to interpreting the formula in a universal 
way, as A.(p, while weak planning corresponds to interpreting it in an existential way, as 
S.(f. 

Weak and strong plans are two extreme ways of satisfying an LTL formula. In nonde- 
terministic planning domains, it might be impossible to achieve goals in a strong way: for 
instance, in the robotic application it might be impossible to fulfill a given task if objects 
keep slipping from the robot's hand. On the other hand, weak plans are too unreliable, 
since they achieve the goal only under overly optimistic assumptions on the outcomes of 
action executions. 

In the case of reachability goals, strong cyclic planning (Cimatti et al., 2003; Daniele, 
Traverso, & Vardi, 1999) has been shown to provide a viable compromise between weak and 
strong planning. Formally, a plan is strong cyclic if each possible partial execution of the 
plan can always be extended to an execution that reaches some goal state. Strong cyclic 
planning allows for plans that encode iterative trial-and-error strategies, like "pick up an 
object until succeed". The execution of such strategies may loop forever only in the case 
the action "pick up object" continuously fails, and a failure in achieving the goal for such 
an unfair execution is usually acceptable. Branching-time logics like CTL and CTL* allow 
for expressing goals that take into account nondeterminism. Indeed, Daniele et al. (1999) 
show how to encode strong cyclic reachability goals as CTL formulas. However, in CTL 
and CTL* path quantifiers are interleaved with temporal operators, making it difficult to 
extend the encoding of strong cyclic planning proposed by Daniele et al. (1999) to generic 
temporal goals. 

In this paper we define a new logic that allows for exploring the different degrees in which 
an LTL formula tp can be satisfied that exist between the strong goal A.ip and the weak goal 
£.(p. We consider logic formulas of the form a.ip, where ip is an LTL formula and a is a 
path quantifier that generalizes the A and £ quantifiers used for strong and weak planning. 

1. See the work of Ghallab ct al. (2004) for a deeper discussion on the fundamental role of nondeterminism 
in planning problems and in practical applications. 
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A path quantifier is a (finite or infinite) word on alphabet {^4, The path quantifier can 
be seen as the definition of a two-player game for the selection of the outcome of action 
execution. Player A (corresponding to symbol A) chooses the action outcomes in order to 
make goal (p fail, while player E (corresponding to symbol £) chooses the action outcomes 
in order to satisfy the goal ip. At each turn, the active player controls the outcome of action 
execution for a finite number of actions and then passes the control to the other player.^ 
We say that a plan satisfies the goal a.ip if the player E has a winning strategy, namely if, 
for all the possible moves of player A, player E is always able to build an execution path 
that satisfies the LTL formula ip. 

Different path quantifiers define different alternations in the turns of players A and E. 
For instance, with goal^l.i^ we require that the formula p> is satisfied independently of how 
the "hostile" player A chooses the outcomes of actions, that is, we ask for a strong plan. 
With goal S.if we require that the formula (p is satisfied for some action outcomes chosen 
by the "friendly" player E, that is, we ask for a weak plan. With goal AS. p we require that 
every plan execution led by player A can be extended by player E to a successful execution 
that satisfies the formula cp; in the case of a reachability goal, this corresponds to asking 
for a strong cyclic solution. With goal SA.ip we require that, after an initial set of actions 
controlled by player E, we have the guarantee that formula p will be satisfied independently 
of how player A will choose the outcome of the following actions. As a final example, with 
goal {A£)'^.p =A£A£A- • • .ip we require that formula ip is satisfied in all those executions 
where player E has the possibility of controlling the action outcome an infinite number of 
times. 

Path quantifiers can define arbitrary combinations of the turns of players A and E, and 
hence different degrees in satisfying an LTL goal. We show, however, that, rather surpris- 
ingly, only a finite number of alternatives exist between strong and weak planning: only 
eight "canonical" path quantifiers give rise to plans of different strength, and every other 
path quantifier is equivalent to a canonical one. The canonical path quantifiers correspond 
to the games of length one {A and £), two (A£ and £A), and three {ASA and £A£), and 
to the games defining an infinite alternation between players A and E {{A£)'^ and {£A)'^). 
We also show that, in the case of reachability goals p = F q, the canonical path quantifiers 
further collapse. Only three different degrees of solution are possible, corresponding to weak 
{£.Fq), strong (A.Fq), and strong cyclic {A£.Fq) planning. 

Finally, we present a planning algorithm for the new goal language and we study its 
complexity. The algorithm is based on an automata-theoretic approach (Emerson & Jutla, 
1988; Kupferman, Vardi, & Wolper, 2000): planning domains and goals are represented 
as suitable automata, and planning is reduced to the problem of checking whether a given 
automaton is nonempty. The proposed algorithm has a time complexity that is doubly 
exponential in the size of the goal formula. It is known that the planning problem is 
2EXPTIME-complete for goals of the form A- p (Pnueli Sz Rosner, 1990), and hence the 
complexity of our algorithm is optimal. 

The structure of the paper is as follows. In Section 2 we present some preliminaries 
on automata theory and on temporal logics. In Section 3 wc define planning domains and 
plans. In Section 4 we define A£-IjTL, our new logic of path quantifier, and study its basic 

2. If the path quantifier is a finite word, the player that has the last turn chooses the action outcome for 
the rest of the infinite execution. 
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properties. In Section 5 we present a planning algorithm for AS-LTL, while in Section 6 
we apply the new logic to the particular cases of reachability and maintainability goals. In 
Section 7 we make comparisons with related works and present some concluding remarks. 

2. Preliminaries 

This section introduces some preliminaries on automata theory and on temporal logics. 
2.1 Automata Theory 

Given a nonempty alphabet S, an infinite word on S is an infinite sequence ao,ai,a2, ■ ■ ■ of 
symbols from E. Finite state automata have been proposed as finite structures that accept 
sets of infinite words. In this paper, we are interested in tree automata, namely in finite 
state automata that recognize trees on alphabet S, rather than words. 

Definition 1 (tree) A (leafless) tree t is a subset of N* such that: 

• e G T is the root of the tree; 

• if X T then there is some i G N such that x ■ i G r; 

• if X ■ i & T, with X &W and i G N, then also x G r; 

• if X ■ (i+1) G T, with x G N* and z G N, then also x ■ i E t. 

The arity of x E t is the number of its children, namely arity{x) = |{i : x • z G r}|. Let 
P C N. Tree t is a P-tree if arity{x) G T> for each x t. A S-labelled tree is a pair {t,T), 
where t is a tree and T : r — >■ S. In the following, we will denote T,-labelled tree (r, T) as 
T, and let t = dom(T). 

Let T be a E-labelled tree. A path p of T is a (possibly infinite) sequence xq, . . . of nodes 
Xi G dom(T) such that Xk+i = Xk ■ ik+i- In the following, we denote with P*{t) the set of 
finite paths and with P'^{t) the set of infinite paths of T. Given a (finite or infinite) path p, 
we denote with T{p) the string T(xo) • T{x\) ■ ■ ■ , where xq, xi, . . . is the sequence of nodes 
of path p. Wc say that a finite (resp. infinite) path p' is a finite (resp. infinite) extension of 
the finite path p if the sequence of nodes of p is a prefix of the sequence of nodes of p' . 

A tree automaton is an automaton that accepts sets of trees. In this paper, we consider 
a particular family of tree automata, namely parity tree automata (Emerson & Jutla, 1991). 

Definition 2 (parity tree automata) A parity tree automaton with parity index k is a 
tuple A = (S, D, where: 

• S is the finite, nonempty alphabet; 

• T> C.N is a finite set of arities; 

• Q is the finite set of states; 

• go € Q is the initial state; 
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• S: is the transition function, where 6{q, a, d) G 2^ ; 

• f3 : Q ^ {0, . . . ,k} is the parity mapping. 

A tree automaton accepts a tree if there is an accepting run of the automaton on the tree. 
Intuitively, when a parity tree automaton is in state q and it is reading a d-ary node of the 
tree that is labeled by a, it nondeterministically chooses a d-tuple (gi, . . . , qd) in d{q, a, d) 
and then makes d copies of itself, one for each child node of the tree, with the state of the 
i-th copy updated to qi. A run of the parity tree automaton is accepting if, along every 
infinite path, the minimal priority that is visited infinitely often is an even number. 

Definitions (tree acceptance) The parity tree automaton A = (S, X", Q, go, 5, /3) ac- 
cepts the "E-labelled V-tree T if there exists an accepting run r for T, namely there exists a 
mapping r : t Q such that: 

• r{e) = go; 

• for each x £ t with arity(x) = d we have {r{x • 0), . . . r{x ■ (d— 1))) € (5(r(x), T(x), d); 

• along every infinite path xq, xi, . . . inT , the minimal integer h such that I3{r{xi)) = h 
for infinitely many nodes xi is even. 

The tree automaton A is nonempty if there exists some tree T that is accepted by A. 

Emerson and Jutla (1991) have shown that the emptiness of a parity tree automaton can 
be decided in a time that is exponential in the parity index and polynomial in the number 
of states. 

Theorem 1 The emptiness of a parity tree automaton with n states and index k can be 
determined in time n*^^^^ . 

2.2 Temporal Logics 

Formulas of Linear Temporal Logic (LTL) (Emerson, 1990) are built on top of a set Prop 
of atomic propositions using the standard Boolean operators, the unary temporal operator 
X (next), and the binary temporal operator U (until). In the following we assume to have 
a fixed set of atomic propositions Prop, and we define E = as the set of subsets of 

Prop. 

Definition 4 (LTL) LTL formulas ip on Prop are defined by the following grammar, where 
q G Prop: 

if ::= q\ ^ip |(/?A<^|X(/?|(/3U<^ 

We define the following auxiliary operators: F = T U <^ (eventually in the future (p) and 
Gip = -iF-199 (always in the future y?). LTL formulas are interpreted over infinite words 
on S. In the following, we write w |=ltl V whenever the infinite word w satisfies the LTL 

formula ip. 

Definition 5 (LTL semantics) Let w = aQ,ai, . . . be an infinite word on E and let (p be 

an LTL formula. We define w,i \=ltl with i €N, as follows: 
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• w,i \=LTL qiffq^ (yv, 

• w,i \=LTL ^if does not hold that w, i \=ltl 

• w, i \=LTL (p /\(p' iff 10,1 \=LTL ^ and w, i \=ltl ; 

• W,i \=LTL^<P iffw,i+l \=LTL <P; 

• w,i \=LTL ip'U (f' iff there is some j > i such that w, k \=ltl ^ for all i < k < j and 
wj \=LTL <p'- 

We say that w satisfies ip, written w \=ltl f, if ^,0 \=ltl f- 

CTL* (Emerson, 1990) is an example of "branching-time" logic. Path quantifiers A 
( "for all paths" ) and E ( "for some path" ) can prefix arbitrary combinations of linear time 
operators. 

Definition 6 (CTL*) CTL* formulas ip on Prop are defined by the following grammar, 
where q € Prop: 

tp .:= q \ ^tp \ ip Atp \ A(p iFiifi 
ip ::= tp \ ^(fi \ (f A (p {Ji-ip \ (pJJ (p 

CTL* formulas are interpreted over S-labelled trees. In the following, we write T |=ctl* 
whenever T satisfies the CTL* formula ip. 

Definition 7 (CTL* semantics) Let T be a T,-labelled tree and let ip be a CTL* formula. 
We define T,x \=ctl*'^j with x G t, as follows: 

• T,x \=cTL*q iffq^ T{x); 

• T,x \=CTL* iff ii does not hold that T, x \=ctl* '0/ 

• r , X \=CTL* V' A V'' iffT,x \=CTL* ip and T , x \=ctl* V''/ 

• T,x \=CTL* A (p iffT,p \=CTL* f holds for all infinite paths p = xq, xi, . . . with xq = x; 

• T,x \=CTL* iff T,p \=CTL* V holds for some infinite path p = xo,xi,... with 

Xq = X; 

where T,p \=ctl* ^^^^ P ^ P^iT); is defined as follows: 

• T,p\=cTL*ipiffP = xo,xi,... andT,xo \=cTL*ip; 

• T,p \=CTL* ~"P iff it does not hold that T,p \=ctl* 

• T,p \=CTL* ^ iffT,p \=CTL* ^ and T,p \=CTL* v'i 

• T,p \=CTL*^P iffT,p' \=cTL*^, where p' = xi,X2,... if p = xo,xi,X2, .; 

• T,p \=CTL* p' iff there is some j > such that T,pk \=CTL* 'P for all < k < j 
and T,pj \=ctl* ^' , where pi = Xi,Xi+i, ... if p = xo,xi, . . .. 
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Figure 1: A possible scenario in the blocks- world domain. 



We say that T satisfies the CTL* formula ip, written T \=ctl* V'; ifT^^ \=ctl* V'- 

The following theorem states that it is possible to build a tree automaton that accepts 
all the trees satisfying a CTL* formula. The tree automaton has a number of states that is 
doubly exponential and a parity index that is exponential in the length of the formula. A 
proof of this theorem has been given by Emerson and Jutla (1988). 

Theorem 2 Let ^ he a CTL* formula, and let P C N* he a finite set of arities. One can 
huild a parity tree automaton that accepts exactly the Ti-lahelled D-trees that satisfy xp. 

The automaton has 2^°"*" states and parity index 2*^(1'^'), where \tp\ is the length of 
formula ip. 

3. Planning Domains and Plans 

A (nondeterministic) planning domain (Cimatti et al., 2003) can be expressed in terms of a 

set of states, one of which is designated as the initial state, a set of actions, and a transition 
function describing how (the execution of) an action leads from one state to possibly many 
different states. 

Definition 8 (planning domain) A planning domain is a tuple D = (S, cto, A, R) where: 

• T, is the finite set of states; 

• ao eT, is the initial state; 

• A is the finite set of actions; 

• R : ^ X A ^ 2^ is the transition relation. 

We require that for each cr € S there is some a A and some a' £ T, such that a' € R{cr, a). 
We assume that states S are ordered, and we write R{a,a) = {ai,a2, ■ ■ ■ ,On) whenever 
R{a, a) = {(Ti, (72, ■ ■ ■ , CTn} and ai < (72 < • • • < cr„. 

Example 1 Consider a hlocks-world domain consisting of a set of hlocks, which are initially 
on a tahle, and which can he stacked on top of each other in order to build towers (see 
Figure 1). 

The states S of this domain are the possible configurations of the hlocks: in the case of 
three hlocks there are 13 states, corresponding to all the hlocks on the tahle (1 configuration), 
a 2-hlock tower and the remaining block on the tahle (6 configurations), and a 3-block tower 
(6 possible configurations). We assume that initially all blocks are on the table. 
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The actions in this domain are put-X _on-Y , put-X _on_table, and wait, where X and 
Y are two (different) blocks. Actions put _X_on_Y and put _X _on stable are possible only if 
there are no blocks on top of X (otherwise we could not pick up X). In addition, action 
put-X _on-Y requires that there are no blocks on top ofY (otherwise we could not put X 
on top ofY). 

We assume that the outcome of action put_X _on_Y is nondeterministic: indeed, trying 
to put a block on top of a tower may fail, in which case the tower is destroyed. Also action 
wait is nondeterministic: it is possible that the table is bumped and that all its towers are 
destroyed. 

A plan guides the evolution of a planning domain by issuing actions to be executed. 
In the case of nondeterministic domains, conditional plans (Cimatti et al., 2003; Pistore & 
Traverso, 2001) are required, that is, the next action issued by the plan may depend on 
the outcome of the previous actions. Here wc consider a very general definition of plans: a 
plan is a mapping from a sequence of states, representing the past history of the domain 
evolution, to an action to be executed. 

Definition 9 (plan) A plan is a partial function tt : S"*" ^ A such that: 

• if tt{w ■ a) = a, then a' G R{o; a) for some a' ; 

• if Tr{w ■ a) = a, then a' G R{(t, a) iff w ■ a ■ a' E dom(7r); 

• if w ■ a & dom(7r) with w ^ e, then w G dom(7r); 

• 7r((T) is defined iff cr = ao is the initial state of the domain. 

The conditions in the previous definition ensure that a plan defines an action to be executed 
for exactly the finite paths w G S"^ that can be reached executing the plan from the initial 
state of the domain. 

Example 2 A possible plan for the blocks-world domain of Example 1 is represented in Fig- 
ure 2. We remark the importance of having plans in which the action to be executed depends 

on the whole sequence of states corresponding to the past history of the evolution. Indeed, 
according to the plan if Figure 2, two different actions put-C -on_A and put _C -on -table are 
performed in the state with block B on top of A, depending on the past history. 

Since we consider nondeterministic planning domains, the execution of an action may 
lead to different outcomes. Therefore, the execution of a plan on a planning domain can be 
described as a (Sx^)-labelled tree. Component S of the label of the tree corresponds to 
a state in the planning domain, while component A describes the action to be executed in 
that state. 

Definition 10 (execution tree) The execution tree for domain D and plan tt is the 
(TiX A) -labelled tree T defined as follows: 

• T(e) = (c7o,ao) where ctq is the initial state of the domain and oq = 7r(c7o); 
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Figure 2: A plan for the blocks- world domain. 



• ifp = xo, . . . ,.T„ G P*(r) with T{p) = (o-o,ao)-(cri,ai) • • • {cFn,an), and ifR{an,an) = 
(ctq, . . . , cr'^_i), then for every < i < d the following conditions hold: x^-i & dom(T) 
and T{xn ■ i) = (cr^, a'^) with a[ = 7r(cro ■ ■ ■ ■ (Tn ■ c^i)- 

A planning problem consists of a planning domain and of a goal g that defines the set 
of desired behaviors. In the following, we assume that the goal g defines a set of execution 
trees, namely the execution trees that exhibit the behaviors described by the goal (we say 
that these execution trees satisfy the goal). 

Definition 11 (planning problem) A planning problem is a pair {D,g), where D is a 
planning domain and g is a goal. A solution to a planning problem {D,g) is a plan ir such 
that the execution tree for tt satisfies the goal g. 

4. A Logic of Path Quantifiers 

In this section we define a new logic that is based on LTL and that extends it with the 
possibility of defining conditions on the sets of paths that satisfy the LTL property. We 
start by motivating why such a logic is necessary for defining planning goals. 

Example 3 Consider the blocks-world domain introduced in the previous section. Intu- 
itively, the plan of Example 2 is a solution to the goal of building a tower consisting of 
blocks A, B, C and then of destroying it. This goal can be easily formulated as an LTL 
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formula: 

(fi = F {{C.on.B A B_on.A A A.on.table) A F {Constable A B_onJ,able A A.on.table)). 

Notice however that, due to the nondeterminism in the outcome of actions, this plan may 
fail to satisfy the goal. It is possible, for instance, that action put-C -OU-B fails and the 
tower is destroyed. In this case, the plan proceeds performing wait actions, and hence the 
tower is never finished. Formally, the plan is a solution to the goal which requires that there 
is some path in the execution structure that satisfies the LTL formula (pi . 

Clearly, there are better ways to achieve the goal of building a tower and then destroying 
it: if we fail building the tower, rather than giving up, we can restart building it and keep 
trying until we succeed. This strategy allows for achieving the goal in "most of the paths": 
only if we keep destroying the tower when we try to build it we will not achieve the goal. As 
we will see, the logic of path quantifiers that we are going to define will allow us to formalize 
what we mean by "most of the paths". 

Consider now the following LTL formula: 

(P2 = F G {{C.on.B A B_on.A A A_onJ,able). 

The formula requires building a tower and maintaining it. In this case we have two possible 
ways to fail to achieve the goal. We can fail to build the tower; or, once built, we can fail to 
maintain it (remember that a wait action may nondeterministically lead to a destruction of 
the tower). Similarly to the case of formula a planning goal that requires satisfying the 
formula 02 in all paths of the execution tree is unsatisfiable. On the other hand, a goal that 
requires satisfying it on some paths is very weak; our logic allows us to be more demanding 
on the paths that satisfy the formula. 

Finally, consider the following LTL formula: 

ip3 = GF {{C.on.B A B_on.A A A_onJ,able). 

It requires that the tower exists infinitely many time, i.e., if the tower gets destroyed, then 
we have to rebuild it. Intuitively, this goal admits plans that can achieve it more often, i.e., 
on "more paths", than Once again, a path logic is needed to give a formal meaning to 
"more paths". 

In order to be able to represent the planning goals discussed in the previous example, 
we consider logic formulas of the form a.(p^ where ip is an LTL formula and a is a path 
quantifier and defines a set of infinite paths on which the formula ip should be checked. Two 
extreme cases are the path quantifier A, which is used to denote that ip must hold on all the 
paths, and the path quantifier £, which is used to denote that (p> must hold on some paths. 
In general, a path quantifier is a (finite or infinite) word on alphabet {A, £} and defines an 
alternation in the selection of the two modalities corresponding to £ and A. For instance, 
by writing ^£'.1/7 we require that all finite paths have some infinite extension that satisfies 
ip, while by writing EA.^p we require that all the extensions of some finite path satisfy ip. 

The path quantifier can be seen as the definition of a two-player game for the selection of 
the paths that should satisfy the LTL formula. Player A (corresponding to A) tries to build 
a path that does not satisfy the LTL formula, while player E (corresponding to £) tries to 
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build the path so that the LTL formula holds. Different path quantifiers define different 
alternations in the turns of players A and E. The game starts from the path consisting only 
of the initial state, and, during their turns, players A and E extend the path by a finite 
number of nodes. In the case the path quantifier is a finite word, the player that moves last 
in the game extends the finite path built so far to an infinite path. The formula is satisfied 
if player E has a winning strategy, namely if, for all the possible moves of the player A, it 
is always able to build a path that satisfies the LTL formula. 

Example 4 Let us consider the three LTL formulas defined in Example 3, and let us see 

how the path quantifiers we just introduced can he applied. 

In the case of formula (pi, the plan presented in Example 2 satisfies requirement E.ipi: 
there is a path on which the tower is built and then destroyed. It also satisfies the "stronger" 
requirement £A.<pi that stresses the fact that, in this case, once the tower has been built and 
destroyed, we can safely give the control to player A. Formula ipi can be satisfied in a 
stronger way, however. Indeed, the plan that keeps trying to build the tower satisfies the 
requirement AS. If I, as well as the requirement ASA.(pi: player A cannot reach a state where 
the satisfaction of the goal is prevented. 

Let us now consider the formula ip2. In this case, we can find plans satisfying AS .(p2, 
but no plan can satisfy requirem^ent A£A.ip2 ■ Indeed, player A has a simple strategy to win, 
if he gets the control after we built the tower: bump the table. Similar considerations hold 
also for formula (ps. Also in this case, we can find plans for requirement AS. <P3, but not for 
requirement AS A. ip 3- In this case, however, plans exist also for requirement ASASAS ■ ■ ■ .(p^: 
if player E gets the control infinitely often, then it can rebuild the tower if needed. 

In the rest of the section we give a formal definition and study the basic properties of 
this logic of path quantifiers. 

4.1 Finite Games 

We start considering only games with a finite number of moves, that is path quantifiers 
corresponding to finite words on {A,S}. 

Definition 12 {AS-UTIj) An AS-LTL formula is a pair g = a.(p, where cp is an LTL 
formula and a G {A, S}~^ is a path quantifier. 

The following definition describes the games corresponding to the finite path quantifiers. 

Definition 13 (semantics of AS-hTh) Let p be a finite path of a ^.-labelled tree T . 
Then: 

• p \=Aa.ip if for all finite extensions p' of p it holds that p' \= a.ip. 

• p\= Sa.ip if for some finite extension p' of p it holds that p' \= a.ip. 

• p \=A.ip if for all infinite extensions p' of p it holds that T{p') \=ltl 'P- 

• p\= S.Lp if for some infinite extension p' of p it holds that T{p') \=ltl 'P- 
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We say that the H-labelled tree T satisfies the AS-LTL formula g, and we write T \= g, if 
Po \= g, where po = e is the root of T. 

^f-LTL allows for path quantifiers consisting of an arbitrary combination of ^s and 
£'s. Each combination corresponds to a different set of rules for the game between A and 
E. In Theorem 4 we show that all this freedom in the definition of the path quantifier is 
not needed. Only six path quantifiers are sufficient to capture all the possible games. This 
result is based on the concept of equivalent path quantifiers. 

Consider formulas^. Fp and^£^.Fp. It is easy to see that the two formulas are equi- 
satisfiable, i.e., if a tree T satisfies „4. F p then it also satisfies .A£^. Fp, and vice- versa. In 
this case, path quantifiers A and AS have the same "power" , but this depends on the fact 
that we use the path quantifiers in combination with the LTL formula F p. If we combine 
the two path quantifiers with different LTL formulas, such as Gp, it is possible to find 
trees that satisfy the latter path quantifier but not the former. For this reason, we cannot 
consider the two path quantifiers equivalent. Indeed, in order for two path quantifiers to 
be equivalent, they have to be equi-satisfiable for all the LTL formulas. This intuition is 
formalized in the following definition. 

Definition 14 (equivalent path quantifiers) Let a and a' be two path quantifiers. We 

say that a implies a', written a a' , if for all J^-labelled trees T and for all LTL formulas 
ip, T \= a. if implies T \= a'. if. We say that a is equivalent to a' , written a ^ a' , if a a' 
and a' a. 

The following lemma describes some basic properties of path quantifiers and of the 
equivalences among them. We will exploit these results in the proof of Theorem 4. 

Lemma 3 Let a, a! G {,4, £"}*. The following implications and equivalences hold. 

1. oAAa' ~ cAa' and a££a' ~ a£a' . 

2. cAa' aa' and aa' ~^ a£a' , if aa' is not empty. 

3. cAa' cASAa' and a£A£a' a£a' . 

4- cA£A£a' ~ cA£a' and a£A£Aa' ~ a£Aa' . 

Proof. In the proof of this lemma, in order to prove that aa' aa" we prove that, given 
an arbitrary tree T and an arbitrary LTL formula if,p\= a'.ip implies p \= a".ip for every 
finite path p of T. Indeed, if p \= a' .ip implies p \= a" .(p for all finite paths p, then it is easy 
to prove, by induction on a, that p |= aa' implies p |= aa" .p for all finite paths p. In the 
following, we will refer to this proof technique as prefix induction. 

1. We show that, for every finite path p, p \=AAa'.p if and only \f p \=Aa'.ip: then the 
equivalence of aAAa' and aAa' follows by prefix induction. 

Let us assume that p \=AAa'.ip. We prove that p \=Aa'.(p, that is, that p' \= a'.ip 
for every finite^ extension p' of p. Since p \=AAa'.(p, by Definition 13 we know that, 

3. We assume that a' is not the empty word. The proof in the case a' is the empty word is similar. 
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for every finite extension of p, \=Aol.^:>. Hence, again by Definition 13, we know 
that for every finite extension of p', p" |= a'. 99. Since p' is a finite extension of p', 
we can conclude that \= o! .ip. Therefore, p' |= o! .ip holds for all finite extensions p' 
of p. 

Let us now assume that p \=Aci.ip). We prove that p \=AAo! .ip^ that is, for all finite 
extensions p' of p, and for all finite extensions p" of p', p" |= a'.c/?. We remark that 
the finite path p" is also a finite extension of p, and therefore p" |= ol .^p holds since 

This concludes the proof of the equivalence of olAAoI and (xAol . The proof of the 
equivalence of aSSa' and aSa' is similar. 

2. Let us assume first that a' is not an empty word. We distinguish two cases, depending 
on the first symbol of a'. If a' = Aa" , then we should prove that cAAa" oAa" , 
which we already did in item 1 of this lemma. If a' = £a" , then we show that, for 
every finite path p, \i p \= A£a" .(p then p \= £a" .ip: then oAa' aa' follows by 
prefix induction. Let us assume that p \= A£a" .ip. Then, for all finite extensions p' of 
p there exists some finite^ extension p" of p' such that p" \= a'. (p. Let us take p' = p. 
Then we know that there is some finite extension p" of p such that p" \= a'.ip, that is, 
according to Definition 13, p \= Sol .ip. 

Let us now assume that a' is the empty word. By hypothesis, olol 7^ e, so a is not 
empty. We distinguish two cases, depending on the last symbol of a. If a = cJA^ then 
we should prove that ol'AA a'A, which we already did in item 1 of this lemma. 
If a = a"£, then we prove that for every finite path p, ii p \= SA.tp then p \= S.ip: 
then ol' EA ^ a" 8 follows by prefix induction. Let us assume that p \= EA.ip. By 
Definition 13, there exists some finite extension p' of p such that, for every infinite 
extension p" oi p' we have T{p") |=ltl ^- Let p" be any infinite extension oi p' . We 
know that p" is also an infinite extension of p, and that T{p") |=ltl Then, by 
Definition 13 we deduce that p\= £.(p. 

This concludes the proof that cxAa' ^ aa' . The proof that aa' a£a' is similar. 

3. By item 1 of this lemma we know that oAa' oAAa' and by item 2 we know that 
oAAa' oASAa'. This concludes the proof that oAa' oASAa'. The proof that 
aSASa' aSa' is similar. 

4. By item 3 of this lemma we know that {cA)£A£a' {aA)£a'. Moreover, again 
by item 3, we know that oA{£a') aA£A{£a'). Therefore, we deduce aA£a' ~ 
aA£A£a' . The proof that a£Aa' ~ a£A£Aa' is similar. □ 

We can now prove the first main result of the paper: each finite path quantifier is 
equivalent to a canonical path quantifier of length at most three. 

Theorem 4 For each finite path quantifier a there is a canonical finite path quantifier 

a' G {A,£,A£,£AA£A,£A£} 

4. We assume that a" is not the empty word. The proof in the case where a" is empty is similar. 
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such that a ^ a' . Moreover, the following implications hold between the canonical finite 
path quantifiers: 

A —^A£A ^-AS (1) 

\ \ 

SA — ^ £A£ £ 

Proof. We first prove that each path quantifier a is equivalent to some canonical path 
quantifier a'. By an iterative application of Lemma 3(1), wc obtain from a a path quantifier 
a" such that a ~ a" and a" does not contain two adjacent ^ or Then, by an iterative 
application of Lemma 3(4), we can transform a" into an equivalent path quantifier a' of 
length at most 3. The canonical path quantifiers in (1) are precisely those quantifiers of 
length at most 3 that do not contain two adjacent ,4 or £. 
For the implications in (1): 

• A -^ASA and £AS £ come from Lemma 3(3); 

• A£A £A aiLdA£ £A£ come from Lemma 3(2); 

• A£A ~^A£ and £A £A£ come from Lemma 3(2). □ 

We remark that Lemma 3 and Theorem 4 do not depend on the usage of LTL for formula 
Lp. They depend on the general observation that a a' whenever player E can select for 
game a' a set of paths which is a subset of those selected for game a. 

4.2 Infinite Games 

We now consider infinite games, namely path quantifiers consisting of infinite words on 
alphabet \A,£}. We will see that infinite games can express all the finite path quantifiers 
that we have studied in the previous subsection, but that there are some infinite games, cor- 
responding to an infinite alternation of the two players A and E, which cannot be expressed 
with finite path quantifiers. 

In the case of infinite games, we assume that player E moves according to a strategy 
that suggests how to extend each finite path. We say that T |= a.^p, where a is an infinite 
game, if there is some winning strategy ^ for player E. A strategy ^ is winning if, whenever 
p is an infinite path of T obtained according to a — i.e., by allowing player A to play in an 
arbitrary way and by requiring that player E follows strategy ^ — then p satisfies the LTL 
formula (p. 

Definition 15 (strategy) A strategy for a Ti-labelled tree T is a mapping ^ : P*(t) 
P* (T ) that maps every finite path p to one of its finite extensions ^ (p) . 

Definition 16 (semantics of A£-UT\u) Let a = HqIIi ■ ■ ■ with Hj G {A, £} be an infinite 
path quantifier. An infinite path p is a possible outcome of game a with strategy ^ if there 
is a generating sequence for it, namely, an infinite sequence po,pi, . . . of finite paths such 
that: 

• Pi are finite prefixes of p; 
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• Po = e is the root of tree T ; 

• ifUi = £ then pi+i = C{Pi); 

• if Hi = A then pi^i is an (arbitrary) extension of pi. 

We denote with Vq- {a, ^) the set of infinite paths of T that are possible outcomes of game a 
with strategy ^. The tree T satisfies the AS-LTL formula g = a.(p, written T \= g, if there 
is some strategy ^ such that T{p) \=ltl ^ for all paths p £ 7^7- (q,^). 

We remark that it is possible that the paths in a generating sequence stop growing, i.e., 
that there is some Pi such that Pi = pj for ah j > i. In this case, according to the previous 
definition, all infinite paths p that extend Pi are possible outcomes. 

In the next lemmas we extend the analysis of cqTiivalcnce among path quantifiers to 
infinite games. ^ The first lemma shows that finite path quantifiers arc just particular cases 
of infinite path quantifiers, namely, they correspond to those infinite path quantifiers that 
end with an infinite sequence of ^ or of 

Lemma 5 Let a be a finite path quantifier. Then a(4)^ ~ oA and a{£)^ ~ a£. 

Proof. We prove that a{A)^ ~ oA. The proof of the other equivalence is similar. 

First, we prove that a(A)'^ cA. Let T be a tree and ip be an LTL formula such that 
T \= a{A)'^.f. Moreover, let ^ be any strategy such that all p G Vq- {a{A)'^ , £,) satisfy (p. In 
order to prove that T \= cA.ip it is sufficient to use the strategy ^ in the moves of player 
E, namely, whenever we need to prove that p \= Sol .^p according to Definition 13, we take 
p' = ^(p) and we move to prove that p' [= ol .fp. In this way, the infinite paths selected by 
Definition 13 for oA coincide with the possible outcomes of game a(^)^, and hence satisfy 
the LTL formula p). 

This concludes the proof that a{A)^ oA. We now prove that oA ~^ a{A)'^. We distinguish 
three cases. 

• Case a = (^)", with n > 0. 

In this case, oA ^A (Lemma 3(1)) and a{A)^ = (A)^. Let T be a tree and (p be an 
LTL formula. Then T \=A.p if and only if all the paths of T satisfy formula ip. It is 
easy to check that also T |= (A)^.ip if and only if all the paths of T satisfy formula (p. 
This is sufficient to conclude that (^)M - (^)"(^)^. 

• Case a = £a'. 

In this case, cA ^ £A. Indeed, cA is an arbitrary path quantifier that starts with £ 
and ends with^. By Lemma 3(1), we can collapse adjacent occurrences of^ and of 
£ , thus obtaining oA ~ {£A)'" for some n > 0. Moreover, by Lemma 3(4) we have 
(£4)" ~ £A. 

Let T be a tree and ip be an LTL formula. Then T |= £A.(p if and only if there is 
some finite path p of T such that all the infinite extensions of p satisfy (p. Now, let 

5. The definitions of the implication and equivalence relations (Definition 14) also apply to the case of 
infinite path quantifiers. 
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^ be any strategy such that ^(e) = p. Then every infinite path p G Vf{^(^'{^)'^iO 
satisfies ip. Indeed, since player E has the first turn, all the possible outcomes are 
infinite extensions of ^(e) = p. 

This concludes the proof that Sa'A £a'{A)'^. 

• Case a = a', with n > 0. 

Reasoning as in the proof of the previous case, it is easy to show that cxA ^A£A. 

Let T be a tree and (p be an LTL formula. Then T \= A£A.(p if and only if for 
every finite path p oi T there is some finite extension p' of p such that all the infinite 
extensions of p' satisfy the formula ip. Let ^ be any strategy such that p' = ^(p) is a 
finite extension of p such that all the infinite extensions of p' satisfy (p. Then every 
infinite path p G 7^7- ((4)"£^a'(4)'^, ^) satisfies ip. Indeed, let po,pi, . . . ,pn,Pn+i, ■ ■ ■ be 
a generating sequence for p. Then Pn+i = ^{Pn) and p is an infinite extension of Pn+i- 
By construction of ^ we know that p satisfies ip. 

This concludes the proof that {A)''£aA {A)''£a'{A)'^ . 

Every finite path quantifier a falls in one of the three considered cases. Therefore, we can 
conclude that cxA a{A)'^ for every finite path quantifier a. □ 

The next lemma defines a sufficient condition for proving that a a'. This condition 
is useful for the proofs of the forthcoming lemmas. 

Lemma 6 Let a and a' be two infinite path quantifiers. Let us assume that for all 'S-labelled 
trees and for each strategy ^ there is some strategy ^' such that Vq-ipi' ,^') C 'P'j-{a,S^). Then 
a a' . 

Proof. Let us assume that T |= a.(p. Then there is a suitable strategy ^ such that all 
p G ^t(o^)0 satisfy the LTL formula (p. Let ^' be a strategy such that all Vq-{a',^') C 
7'7-(a,^). By hypothesis, all possible outcomes for game a' and strategy ^' satisfy the LTL 
formula ip, and hence T |= a' .^p. This concludes the proof that a a'. □ 

In the next lemma we show that all the games where players A and E alternate infinitely 
often arc equivalent to one of the two games {A£Y and {£A)'^ . That is, we can assume that 
each player extends the path only once before the turn passes to the other player. 

Lemma 7 Let a he an infinite path quantifier that contains an infinite number of A and 
an infinite number of £. Then a ~ {A£)'^ or a {£A)'^ . 

Proof. Let a = (£:)"i (yl)"'^ )n2 . . . ^j^h mi,ni > 0. We show that a ~ {A£)'^. 

First, we prove that (A£)^ ^ a:. Let ^ be a strategy for the tree T and let p be an infinite 
path of T. We show that if p G 'P7"(a,0 then p G Vt{{A£)'^ ,^). By Lemma 6 this is 
sufficient for proving that {A£)^ a. 

Let po,pi, . . . be a generating sequence for p according to a and ^. Moreover, let p'q = e, 

P'2i+1 ~ Pnii+niH |-mi_i+ni_i+mi ^nd and P2i+2 ~ Pmi+mH hmi_i+n,_i+mi+l • It is easy tO 

check that p'q,p'i,P2, . . . is a valid generating sequence for p according to game {A£)'^ and 
strategy ^. Indeed, extensions p'q — > p'^, p'2 — )■ p'^, p'^^ — )• p'^, ■ ■ ■ are moves of player A, 
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and hence can be arbitrary. Extensions p'^ ~^ v'21 "i^z ~^ p'ai ■ ■ ■ correspond to extensions 
Pmj -> Pmi+1, Pmi+ni+ma ^ Pmi+m+mz+i; which are moves of player E and hence 
respect strategy ^. 

We now prove that a -w (AS)^. Let ^ be a strategy for the tree T. We define a strategy f 
such that if p € V^{{A£)^, then p G Vt{(^^ 0- Lemma 6 this is sufficient for proving 

that a {ASy. 

Let p be a finite path. Then ^(p) = £,^f'{p) with kp = X]l=i ^i- That is, strategy ^ on path 
p is obtained by applying kp times strategy ^. The number of times strategy ^ is applied 
depends on the length \p\ of path p. 

We show that, if p is a possible outcome of the game a with strategy ^, then p is a possible 
outcome of the game {A£Y '^ith strategy ^. Let pQ,p\^... be a generating sequence for p 
according to {A£Y and ^. Then 

Po , Pi,-, Pi , ^C(Pi),^^(Pi),-,C(Pi) , P3,- - -,P3 , 

mi times ni times m2 times 

g(P3),e'(p3),-,r^(p3) ,P5,---,P5, - 
n2 times ms times 

is a valid generating sequence for p according to a and The extensions corresponding to 
an occurrence of symbol £^ in a consist of an application of the strategy ^ and are hence valid 
for player E. Moreover, extension ^"»(p2i-i) P2i+i is a valid move for player A because 
P2i+i is an extension of ^"''(p2j-i)- Indeed, ^"'(^21-1) is a prefix of p2i (and hence of p2«+i) 
since p2i = C(P2i-i) = C''''^'-HP2t-i) and kp.^^_^ = I]L^=i~'' '^o; > m, since |p2i-i| > i- The 
other conditions of Definition 16 can be easily checked. 

This concludes the proof that a ~ (AS)'' for a = )"i (A)"'-' • • • . The proof that 

a ~ (SA)'^ for a = (S)""^ (S)""^ ... is similar. □ 

The next lemma contains other auxiliary results on path quantifiers. 
Lemma 8 Let a be a finite path quantifier and a' be an infinite path quantifier. 

1. oAa' aa' and aa' -w aSa' . 

2. a{AY -w oAa' and a£a! a{£)'^ . 

Proof. 

1. We prove that oAa' aa'. Let ^ be a strategy for tree T and let p be an infinite 
path of T. We show that if p £ ^^-(aa',^) then p G Vj-ioAa' ,£,). Let po,pi,... 
be a generating sequence for p according to aa' and Then it is easy to check that 
Po,Pi, . . . ,Pi-i,Pi,Pi,Pi+i, . . ., where i is the length of a, is a valid generating sequence 
for p according to oAa' and ^. Indeed, the extension pi — >■ pj is a valid move for player 
A. This concludes the proof that oAa' aa'. 

Now we prove that aa' ^ a£a'. If a' = (f)'^, then a£a' = a£{£)'^ = a{£)'^ = aa', 
and a£a' aa' is trivially true. If a' ^ i£)'^ , we can assume, without loss of 
generality, that a' = Aa". In this case, let ^ be a strategy for tree T and let p be a 
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path of T. We show that if p G Vq-{(x£a' then p € P7-(aa',^). Let po,pi, ... be 
a generating sequence for p according to aSa' and ^. Then it is easy to check that 
Po,pi, . . . ,pi,pi+2, ■ ■ where i is the length of a, is a valid generating sequence for p 
according to aa' and ^. Indeed, extension pi — > pi^2 is valid, as it corresponds to the 
first symbol of a' and we have assumed it to be symbol A. This concludes the proof 
that aa' a£a'. 

2. We prove that a(A)'^ aa'. The proof that aa' -w a{£)'^ is similar. 

Let ^ be a strategy for tree T and let p be an infinite path of T. We show that if 
p G Vq- {a{A)'^ , then p € Tq-{aa',^). Let po,pi, ... be a generating sequence for p 
according to aa' and S^. Then it is easy to check that po,pi, ■ ■ ■ is a valid generat- 
ing sequence for p according to a{A)'^ and ^. In fact, a{A)^ defines less restrictive 
conditions on generating sequences than aa'. 

This is sufficient to conclude that a{A)'^ aa'. □ 

We can now complete the picture of Theorem 4: each finite or infinite path quantifier is 
equivalent to a canonical path quantifier that defines a game consisting of alternated moves 
of players A and E of length one, two, three, or infinity. 

Theorem 9 For each finite or infinite path quantifier a there is a canonical path quantifier 

a' e {A, £,A£, £A,A£A, £A£, iA£)'^, i£A)'^} 

such that a ^ a' . Moreover, the following implications hold between the canonical path 
quantifiers: 

A —^A£A {A£)'^ —~^A£ (2) 

1 1 1 

£A (£4)^ — £A£ —s. s 

Proof. We first prove that each path quantifier is equivalent to a canonical path quantifier. 
By Theorem 4, this is true for the finite path quantifiers, so we only consider infinite path 
quantifiers. 

Let a be an infinite path quantifier. We distinguish three cases: 

• a contains an infinite number of^ and an infinite number of £: then, by Lemma 7, a 
is equivalent to one of the canonical games {A£)'^ or {£A)^. 

• a contains a finite number of ^: in this case, a ends with an infinite sequence of £, 
and, by Lemma 5, a ~ a" for some finite path quantifier a". By Theorem 4, a" is 
equivalent to some canonical path quantifier, and this concludes the proof for this 
case. 

• a contains a finite number of £: this case is similar to the previous one. 
For the implications in (2): 
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(AS)'^ ^ (SA)'^ comes from Lemma 8(1), by taking the empty word for a and a' = 
{ASr. 

ASA ^ (AS)'^, {M)"^ ^M,SA-^ (SA)'^, and (SA)'^ SA£ come from Lemmas 5 
and 8(2). 



The other imphcations come from Theorem 4. 



□ 



4.3 Strictness of the Implications 

We conclude this section by showing that ah the arrows in the diagram of Theorem 9 
describe strict imphcations, namely, the eight canonical path quantifiers are all different. 
Let us consider the following g}-labelled binary tree, where the root is labelled by i 
and each node has two children labelled with p and q: 




Let us consider the following LTL formulas: 

• F p: player E can satisfy this formula if he moves at least once, by visiting a p-labelled 
node. 

• GFp: player E can satisfy this formula if he can visit an infinite number of p-labelled 
nodes, that is, if he has the final move in a finite game, or if he moves infinitely often 
in an infinite game. 

• F Gp: player E can satisfy this formula only if he takes control of the game from a 
certain point on, that is, only if he has the final move in a finite game. 

• G -ig: player E can satisfy this formula only if player A never plays, since player A 

can immediately visit a g-labelled node. 

• Xp: player E can satisfy this formula by playing the first turn and moving to the left 
child of the root node. 

The following graph shows which formulas hold for which path quantifiers: 

:Fp '^GFp '¥Gp ^G'^q] 



A 



ASA 



; xp \sA 



\{sAr 



-^AS 

J i 

^SAS 



s] 
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5. A Planning Algorithm for AS-LTL 

In this section we present a planning algorithm for AS-LTL goals. We start by showing 

how to build a parity tree automaton that accepts all the trees that satisfy a given AS-LTL 
formula. Then we show how this tree automaton can be adapted, so that it accepts only 
trees that correspond to valid plans for a given planning domain. In this way, the problem 
of checking whether there exists some plan for a given domain and for an AS-LTL goal is 
reduced to the emptiness problem on tree automata. Finally, we study the complexity of 
planning for AS-LTL goals and we prove that this problem is 2EXPTIME-complete. 

5.1 Tree Automata and AS-LTL Formulas 

Berwanger, Gradel, and Kreutzer (2003) have shown that AS-LTL formulas can be ex- 
pressed directly as CTL* formulas. The reduction exploits the equivalence of expressive 
power of CTL* and monadic path logic (Moller & Rabinovich, 1999). A tree automaton 
can be obtained for an AS-LTL formula using this reduction and Theorem 2. However, 
the translation proposed by Berwanger et al. (2003) has an upper bound of non-elementary 
complexity, and is hence not useful for our complexity analysis. In this paper we describe 
a different, more direct reduction that is better suited for our purposes. 

A S-labelled tree T satisfies a formula a.(p if there is a suitable subset of paths of the 
tree that satisfy ip. The subset of paths should be chosen according to a. In order to 
characterize the suitable subsets of paths, we assume to have a lu-marking of the tree T, 
and we use the labels w to define the selected paths. 

Definition 17 (lu-marking) A w-marking of the T^-lahelled tree T is a {^x{w^w}) -la- 
helled tree Tw such that dom(T) = dom(Tt(,) and, whenever T(x) = a, then Tyj(x) = {cr,w) 
or Tu,{x) = {a,w). 

We exploit tt;-markings as follows. We associate to each AS-LTL formula a.(p a CTL* 
formula [[a. 99]] such that the tree T satisfies the formula a.(p if and only if there is a w- 
marking of T that satisfies 

Definition 18 {AS-LTL and CTL*) Let a.ip be an AS-LTL formula. The CTL* formula 
[[a.ip]] is defined as follows: 



In the case of path quantifiers A and S, there is a direct translation into CTL* that does 
not exploit the u)-marking. In the other cases, the CTL* formula [[a.y']] is the conjunction 



[AM] 

[[S.^]] 
[[SAcp]] 
[ASAif]] 

[ASM] 

[[SAS.ip]] 

[[{AsrM] 
[[{sArM] 



^¥w ^ k{¥w if) 
AGEFw A A(Fw if) 
AG EXG w A A(F Gw ^ip) 
EF AG EXG w A A(F Gw ^ ^ 
KGLFw A A{G¥w ip) 
EFAGEFw A A(GFw ^ ip) 
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of two sub- formulas. The first one characterizes the good markings according to the path 
quantifier a, while the second one guarantees that the paths selected according to the 
marking satisfy the LTL formula (p. In the case of path quantifiers £A and ASA, we mark 
with w the nodes that, once reached, guarantee that the formula (p is satisfied. The selected 
paths are hence those that contain a node labelled by w (formula Fw). In the case of 
path quantifiers and £A£, we mark with w all the descendants of a node that define an 
infinite path that satisfies if. The selected paths are hence those that, from a certain node 
on, are continuously labelled by w (formula FGu;). In the case of path quantifiers (AS)'^ 
and (SA)'^, finally, we mark with w all the nodes that player E wants to reach according 
to its strategy before passing the turn to player A. The selected paths are hence those that 
contain an infinite number of nodes labelled by w (formula GFw;), that is, the paths along 
which player E moves infinitely often. 

Theorem 10 A T,-labelled tree T satisfies the AS-LTL formula a.(p if and only if there is 
some w-marking of T that satisfies formula [[a.ip]]. 

Proof. In the proof, we consider only the cases of a =A£A, a =AS and a = (AS)'^. The 

other cases are similar. 

Assume that a tree T satisfies a.cp. Then we show that there exists a w-marking of T 
that satisfies [[a.*/']]- 

• Case a = ASA. According to Definition 13, if the tree T satisfies ASA.<f, then every 
finite path p of T can be extended to a finite path p' such that all the infinite extensions 
p" of p' satisfy tp. Let us mark with w all the nodes of Tyj that correspond to the 

extension p' of some path p. By construction, the marked tree satisfies AG EF w. It 
remains to show that the marked tree satisfies A(Fii; — > 99). 

Let us consider any path p" in the tree that satisfies F w, and let us show that p" also 
satisfies ip. Since p" satisfies F w, we know that it contains nodes marked with w. Let 
p' be the finite prefix of path p" up to the first node marked by w. By construction, 
there exists a finite path p such that p' is a finite extension of p and all the infinite 
extensions of p' satisfy tp. As a consequence, also p" satisfies (p. 

• Case a =AS. According to Definition 13, if the tree T satisfies AS .cp, then for all the 
finite paths p there is some infinite extension of p that satisfies 99. Therefore, wc can 
define a mapping m : P*{t) — )> P^{T) that associates to a finite path p an infinite 
extension m{p) that satisfies ip. We can assume, without loss of generality, that, if p' 
is a finite extension of p and is also a prefix of m{p), then m{p') = m{p). That is, as 
far as p' extends the finite path p along the infinite path m{p) then m associates to 
p' the same infinite path m{p). 

For every finite path p, let us mark with w the node of that is the child of p 
along the infinite path m{p). By construction, the marked tree satisfies AGEXGii;. 
It remains to show that the marked tree satisfies A{FGw ^ (p). 

Let us consider a path p" in the tree that satisfies F G and let us show that p" also 
satisfies 99. Since p" satisfies F G we know that there is some path p such that all 
the descendants of p along p" are marked with w. In order to prove that p" satisfies 99 
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we show that p" = m{p). Assume by contradiction that m{p) ^ p" and let p' be the 
longest common prefix of m{p) and p". We observe that p is a prefix of p' , and hence 
m{p) = m{p'). This implies that the child node of p' along p" is not marked with w, 
which is absurd, since by definition of p all the descendants of p along p" are marked 
with w. 

• Case a = (AS)'^. According to Definition 16, if the tree T satisfies {A£)'^.<f, then 
there exists a suitable strategy ^ for player E so that all the possible outcomes of game 
a with strategy satisfy ip. Let us mark with w all the nodes in that correspond 
to the extension ^{p) of some finite path p. That is, we mark with w all the nodes 
that are reached after some move of player E according to strategy ^. The marked 
tree satisfies the formula AGEF?i;, that is, every finite path p can be extended to a 
finite path p' such that the node corresponding to p' is marked with w. Indeed, by 
construction, it is sufficient to take p' = ^{p") for some extension p" of p. It remains 
to show that the marked tree satisfies A(GFu; — > ip). 

Let us consider a path p in the tree that satisfies G F ■u;, and let us show that p also 
satisfies ip. To this purpose, we show that p is a possible outcome of game a with 
strategy ^. Wc remark that, given an arbitrary finite prefix p' of p it is always possible 
to find some finite extension p" of p' such that ^{p") is also a prefix of p. Indeed, the 
set of paths P = {p : ^{p) is a finite prefix of p} is infinite, as there are infinite nodes 
marked with w in path p. 

Now, let po,pi,p2, ■ ■ ■ be the sequence of finite paths defined as follows: po = (e) is 
the root of the three; P2k+i is the shortest extension of p2k such that ^(p2fc+i) is a 
prefix of p; and P2k+2 = C{P2k+i)- It is easy to check that pQ,pi,p2, ■ ■ ■ is a generating 
sequence for p according to {A£)'^ and ^. Hence, by Definition 16, the infinite path p 
satisfies the LTL formula (p. 

This concludes the proof that if T satisfies a.cp, then there exists a w-marking of T that 
satisfies [[a.(^]]. 

Assume now that there is a i/;-marked tree Tyj that satisfies [[a.'/']]. We show that T satisfies 
a.ip. 

• Case a =A£A. The marked tree satisfies the formula AGEFii;. This means that for 
each finite path p (AG) there exists some finite extension p' such that the final node 
of y is marked by w (EF w) . Let p" be any infinite extension of such a finite path p'. 
We show that p" satisfies the LTL formula (p. Clearly, p" satisfies the formula Fw. 
Since the tree satisfies the formula A(Ftt; — )■ ip), all the infinite paths that satisfy Fw 
also satisfy ip. Therefore, p" satisfies the LTL formula (p. 

• Case a = AS. The marked tree satisfies the formula AGEXGti;. Then, for each 
finite path p (AG) there exists some infinite extension p' such that, from a certain 
node on, all the nodes of p' are marked with w (EXGw). We show that, if p' is the 
infinite extension of some finite path p, then p' satisfies the LTL formula ip. Clearly, 

p' satisfies the formula FG?«. Since the tree satisfies the formula A(FG?l' (p), all 
the infinite paths that satisfy F Gw also satisfy ip. Therefore, p' satisfies the LTL 
formula (p. 
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• Case a = {A£)'^. Let ^ be any strategy so that, for every finite path p, the node 
corresponding to ^(p) is marked with w. We remark that it is always possible to define 
such a strategy. In fact, the marked tree satisfies the formula AGEFu), and hence, 
each finite path p can be extended to a finite path p' such that the node corresponding 
to p' is marked with w. 

Let p be a possible outcome of game a with strategy ^. We should prove that p satisfies 
the LTL formula 99. By Definition 16, the infinite path p contains an infinite set of 
nodes marked by w: these are all the nodes reached after a move of player E. Hence, 
p satisfies the formula GFu;. Since the tree satisfies the formula A(GF?i; — )■ tp), all 
the infinite paths that satisfy G F it; also satisfy (p. Therefore, path p satisfies the LTL 
formula ip. 

This concludes the proof that, if there exists a u;-marking of tree T that satisfies [[a •</:']], 
then T |= a.(p. □ 

Kupferman (1999) defines an extension of CTL* with existential quantification over 
atomic propositions (EGCTL*) and examines complexity of model checking and satisfiability 
for the new logic. We remark that ^£^-LTL can be seen as a subset of EGCTL*. Indeed, 
according to Theorem 10, a S-labelled tree satisfies an AS-UTh formula a.(p if and only if 
it satisfies the EGCTL* formula 3it;. [[a. </?]]. 

In the following definition we show how to transform a parity tree automaton for the 
CTL* formula [[a.'/']] into a parity tree automaton for the AS-LTL formula a.ip. This 
transformation is performed by abstracting away the information on the if;-marking from 
the input alphabet and from the transition relation of the tree automaton. 

Definition 19 Let A = {'Ex{w,w},V,Q,qo,6, P) be a parity tree automaton. The parity 

tree automaton A^^^ = (E, D, Q, go? <^3«)) obtained from A by abstracting away the w- 
marking, is defined as follows: 6sw{Q,(^,d) = S{q, {a,w),d) U6{q, {a,W),d). 

Lemma 11 Let A and A^^ be two parity tree automata as in Definition 19. A-^y, accepts 
exactly the T,-labelled trees that have some w-marking which is accepted by A. 

Proof. Let be a (Sx{tt;,IZJ})-labelled tree and let T be the corresponding S-labelled 
tree, obtained by abstracting away the tu-marking. We show that if is accepted by A, 
then T is accepted by A-^w Let r : r — )■ Q be an accepting run of on A. Then r is also 
an accepting run of T on A^yj. Indeed, if x G r, arity{x) = d, and Tyj{x) = {(T,m) with 
m G {w,w}, then we have {r{x • 0), . . . , r(x ■ d—1)) € 6{r{x), {a, m), d). Then t(x) = a, 
and, by definition of ^3^;, we have (r(x ■ 0), . . . ,r{x ■ d—1)) G Ssw{f{x),cr,d). 
Now we show that, if the S-labelled tree T is accepted by A^yj, then there is a {'Ex{w,w})- 
labellcd tree Tw that is a it;-marking of T and that is accepted by A. Let r : r ^ Q be an 
accepting run of T on A-^^,. By definition of run, we know that if a; € r, with arity(x) = d 
and T{x) = a, then {r{x • 0), . . . ,r{x ■ d—1)) G (5g^(r(x), cr, c/). By definition of S^w, we 
know that {r{x ■ 0),...,r{x ■ d—1)) € S{r{x),{a,w),d) U S{r{x),{a,w),d). Let us define 
Tw{x) = (a, w) if {r{x • 0), . . . , r{x ■ d—1)) £ 5{r{x), (cr, w),d), and Tw{x) = {a,w) otherwise. 
It is easy to check that r is an accepting run of on A. □ 
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Now we have all the ingredients for defining the tree automaton that accepts all the 
trees that satisfy a given AS-LTL formula. 

Definition 20 (tree automaton for AS-UTL) Let V CW be a finite set of arities, and 
let a.(p he an A6-LTL formula. The parity tree automaton is obtained by applying the 
transformation described in Definition 19 to the parity automaton A^^^ built according to 
Theorem 2. 

Theorem 12 The parity tree automaton ^^.^ accepts exactly the Ti-labelled V-trees that 
satisfy the formula a.ip. 

Proof. By Theorem 2, the parity tree automaton A^^ ^jj accepts all the P-trees that satisfy 
the CTL* formula [[a. 99]]. Therefore, the parity tree automaton A^_^ accepts all the P-trees 
that satisfy the formula a.(p by Lemma 11 and Theorem 10. □ 

The parity tree automaton has a parity index that is exponential and a number of 
states that is doubly exponential in the length of formula 99. 

Proposition 13 The parity tree automaton has 2^°"*''^ states and parity index 2'^^^'^^^ . 

Proof. The construction of Definition 19 does not change the number of states and the 
parity index of the automaton. Therefore, the proposition follows from Theorem 2. □ 

5.2 The Planning Algorithm 

We now describe how the automaton A^^^ can be exploited in order to build a plan for goal 
a.ip on a given domain. 

We start by defining a tree automaton that accepts all the trees that define the valid 
plans of a planning domain D = {T,, ao, A, R) . We recall that, according to Definition 8, 
transition relation R maps a state a € S and an action a € A into a tuple of next states 
(cTi,cT2, ...,an) = R{a,a). 

In the following we assume that T> is a finite set of arities that is compatible with domain 
D, namely, if R{(J, a) = (cti, . . . , aa) for some a eT, and a E A, then d eV. 

Definition 21 (tree automaton for a planning domain) Let D = (S,cro,^, -R) be a 

planning domain and let T> be a set of arities that is compatible with domain D. The 
tree automaton A^ corresponding to the planning domain is A^ = (Sx^, P, S, cto, /3o); 
where (ai, . . . , an) G (5d(cj, (a, a), d) if (ai, . . . , Ud) = R{(y, a) with d > 0, and /3o(it) = for 
all (7 G S. 

According to Definition 10, a (Sx^lj-labelled tree can be obtained from each plan tt for 
domain D. Now we show that also the converse is true, namely, each (Ex A)-labelled tree 
accepted by the tree automaton A^ induces a plan. 

Definition 22 (plan induced by a tree) Let T be a [T^x A) -labelled tree that is ac- 
cepted by automaton A^. The plan tt induced by T on domain D is defined as fol- 
lows: 7r((To, o"i, . . . , (Tn) = a if there is some finite path p in T with T{p) = (o"o,oo) • 
(c7i,ai) • • • (c7„,a„) and a = an- 
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The following lemma shows that Definitions 10 and 22 define a one-to-one correspon- 
dence between the valid plans for a planning domain D and the trees accepted by automaton 

Lemma 14 Let T be a tree accepted by automaton A^ and let it be the corresponding 
induced plan. Then n is a valid plan for domain D, and T is the execution tree corresponding 
to TT. Conversely, let tt be a plan for domain D and let T be the corresponding execution 
structure. Then T is accepted by automaton and tt is the plan induced by T . 

Proof. This lemma is a direct consequence of Definitions 10 and 22. □ 

We now define a parity tree automaton that accepts only the trees that correspond to the 
plans for domain D and that satisfy goal g = a.(p. This parity tree automaton is obtained 
by combining in a suitable way the tree automaton for ^£^-LTL formula g (Definition 20) 
and the tree automaton for domain D (Definition 21). 

Definition 23 (instrumented tree automaton) Let V be a set of arities that is com- 
patible with planning domain D. Let also = {E,V,Q,qQ,S, P) be a parity tree au- 
tomaton that accepts only the trees that satisfy the AS-LTL formula g. The parity tree 

automaton A^ ^ corresponding to planning domain D and goal g is defined as follows: 

A^g = {T,x A,V,QxT., {go, ao),S', (3'), where {{qi,ai), . . . ,{qd,ad)) G 5'{{q,a),{a,a),d) if 
{qi, . . . ,q(i) € S{q, a, d) and {ai, . . . , a^) = R{(t, a) with d > 0, and where I3'(q, a) = P{q). 

The following lemmas show that solutions to planning problem {D,g) are in one-to-one 
correspondence with the trees accepted by the tree automaton A^ g. 

Lemma 15 Let T be a (Ex A) -labelled tree thai is accepted by automaton A^ g, and let tt 
be the plan induced by T on domain D. Then the plan tt is a solution to planning problem 
{D,g). 

Proof. According to Definition 11, we have to prove that the execution tree corresponding 
to TT satisfies the goal g. By Lemma 14, this amounts to proving that the tree T satisfies g. 
By construction, it is easy to check that if a (Sx74)-labeled tree T is accepted by A^ ^, then 
it is also accepted by A^. Indeed, H rD,g : r — )■ Q x S is an accepting run of T on A^ g, 
then : r — >■ Q is an accepting run of T on A^, where rg{x) = q whenever rn^g = {q,(T) 
for some cr G S. □ 

Lemma 16 Let tt be a solution to planning problem {D,g). Then the execution tree of tt 
is accepted by automaton A^ g . 

Proof. Let T be the execution tree of vr. By Lemma 14 we know that T is accepted by A^. 
Moreover, by definition of solution of a planning problem, we know that T is accepted also 
by A^ . By construction, it is easy to check that if a (Sxy4)-labeled tree T is accepted by 
A^ and by A^, then it is also accepted by A^ g. Indeed, let rj) : r ^ S be an accepting 
run of T on A^ and let : r — t- Q be an accepting run of T on A^ . Then r^^g : t ^ Q xT, 
is an accepting run of T on A^ g, where rD,g{x) = {q, a) if rD{x) = a and rg{x) = q. □ 
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As a consequence, checking whether goal g can be satisfied on domain D is reduced to 
the problem of checking whether automaton ^ is nonempty. 

Theorem 17 Let D he a planning domain and g be an AE-LTL formula. A plan exists for 
goal g on domain D if and only if the tree automaton AJ^ ^ is nonempty. 

Proposition 18 The parity tree automaton A^ ^ for domain D = {T,,ao, A, R) and goal 
g = a.(f has |S| • 2^°^''''" states and parity index 2^^^'^^\ 

Proof. This is a consequence of Proposition 13 and of the definition of automaton A^ g. □ 
5.3 Complexity 

We now study the time complexity of the planning algorithm defined in Subsection 5.2. 

Given a planning domain D, the planning problem for AS-UTL goals g = a.ip can 
be decided in a time that is doubly exponential in the size of the formula <^ by applying 
Theorem 1 to the tree automaton A^ g. 

Lemma 19 Let D be a planning domain. The existence of a plan for AS-LTL goal g = a.(p 
on domain D can be decided in time 2^°"*'" . 

Proof. By Theorem 17 the existence of a plan for goal g on domain D is reduced to the 
emptiness problem on parity tree automaton A^ ^. By Proposition 18, the parity tree 

automaton A^ ^ has 2^°*''^'^ x |S| states and parity index 2*^^l'^l-'. Since we assume that 
domain D is fixed, by Theorem 1, the emptiness of automaton A^ ^ can be decided in time 
220(l-l)_ ' □ 

The doubly exponential time bound is tight. Indeed, the realizability problem for an 
LTL formula (p, which is known to be 2EXPTIME-complete (Pnueli & Rosner, 1990), can 
be reduced to a planning problem for the goal A.^p. In a realizability problem one assumes 
that a program and the environment alternate in the control of the evolution of the system. 
More precisely, in an execution o"o,(Ti, . . . the states fjj arc decided by the program if i is 
even, and by the environment if i is odd. We say that a given formula (p is realizable if 
there is some program such that all its executions satisfy ip independently on the actions of 
the environment. 

Theorem 20 Let D he a planning domain. The problem of deciding the existence of a plan 
for AE-LTL goal g = a.(p on domain D is 2EXPTLME-complete. 

Proof. The realizability of formula tp can be reduced to the problem of checking the exis- 
tence of a plan for goslA.p> on planning domain D = [{init} U (S x {p., e}), init., S U {e}, i?) , 
with: 

R{init, a') = {(a', e)} R{init, e) = 

R{{a,p),a') = {{a' ,e)] R{{a,p),e) = $ 

R{{a,e),a') = R{{a,e),e) = {{a',p) : a' G S} 
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for all £7, a' G S. 

States {cr,p) are those where the program controls the evolution through actions a' € S. 
States {a, e) are those where the environment controls the evolution; only the nondetermin- 
istic action e can be performed in this state. Finally, state init is used to assign the initial 
move to the program. 

Since the realizability problem is 2EXPTIME-complctc in the size of the LTL formula 
(Pnueli &: Rosner, 1990), the planning problem is 2EXPTIME-hard in the size of the goal 
g = a.ip. The 2EXPTIME-completeness follows from Lemma 19. □ 

We remark that, in the case of goals of the form £.(p, an algorithm with a better 
complexity can be defined. In this case, a plan exists for S.(p if and only if there is an 
infinite sequence ctq, cti, ... of states that satisfies ip and such that cTj+i G R{ai, ai) for some 
action a,. That is, the planning problem can be reduced to a model checking problem 
for LTL formula ip, and this problem is known to be PSPACE-complete (Sistla & Clarke, 
1985). Wc conjecture that, for all the canonical path quantifiers a except the doubly 
exponential bound of Theorem 20 is tight. 

Some remarks are in order on the complexity of the satisfiability and validity problems 
for v4£^-LTL goals. These problems are PSPACE-complete. Indeed, the ^£^-LTL formula 
a.ip is satisfiable if and only if the LTL formula tp is satisfiable^, and the latter problem is 
known to be PSPACE-complete (Sistla &: Clarke, 1985). A similar argument holds also for 
validity. 

The complexity of the model checking problem for ,4^^-LTL has been recently addressed 
by Kupferman and Vardi (2006). Kupferman and Vardi introduce mCTL*, a variant of 
CTL*, where path quantifiers have a "memoryful" interpretation. They show that memo- 
ryful quantification can express (with linear cost) the semantics of path quantifiers in our 
^5-LTL. For example, the .4f-LTL formula .4£^.<^ is expressed in mCTL* by the formula 
AGE(y9. Kupferman and Vardi show that the model checking problem for the new logic is 
EXPSPACE-complete, and that this result holds also for the subset of mCTL* that corre- 
sponds to formulas AE.ip. Therefore, the model checking problem for ^f-LTL with finite 
path quantifiers is also EXPSPACE-complete. To the best of our knowledge the complexity 
of model checking ^5- LTL formulas .(p and (£A)'^.<^ is still an open problem. 

6. Two Specific Cases: Reachability and Maintainability Goals 

In this section we consider two basic classes of goals that are particularly relevant in the 
field of planning. 

6.1 Reachability Goals 

The first class of goals are the reachability goals corresponding to the LTL formula Fg, 
where q is a propositional formula. Most of the literature in planning concentrates on this 
class of goals, and there are several works that address the problem of defining plans of 
different strength for this kind of goals (see, e.g., Cimatti et al., 2003 and their citations). 

6. If a tree satisfies a.ip then some of its paths satisfy if, and a path that satisfies <^ can be seen also as a 
tree that satisfies a.i/9. 
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In the context of AS-UTh, as soon as player E takes control, it can immediately achieve 
the reachability goal if possible at all. The fact that the control is given back to player A 
after the goal has been achieved is irrelevant. Therefore, the only significant path quantifiers 
for reachability goals are^, £, and AS. 

Proposition 21 Let q be a propositional formula on atomic propositions Prop. Then, the 
following results hold for every labelled tree T. T \= £.¥ q iff T \= £A.¥ q iff T \= £A£.Fq 
ifjT ^{£AY.¥q. Moreover T ^A£.¥q iff T ^A£A.¥q iff T ^ {A£Y .F q. 

Proof. We prove that T ^A£. F g iff T ^A£A. F g iff T |= {A£Y . F q. The other cases are 
similar. 

Let us assume that T \= A£. F q. Moreover, let p be a finite path of T. We know that p 
can be extended to an infinite path p' such that T{p') \=F q. According to the semantics of 
LTL, T{p') \= F q means that there is some node x in path p' such that q € T{x). Clearly, 
all infinite paths of T that contain node x also satisfy the LTL formula F q. Therefore, 
there is a finite extension p" of p such that all the infinite extensions of p" satisfy the LTL 
formula F q: it is sufficient to take as p" an finite extension of p that contains node x. Since 
this property holds for every finite path p, we conclude that T ^^£14. F q. 
We have proven that T \= A£.F q implies T |= A£A.Fq. By Theorem 9 we know that 
A£A {A£)'^ -^M, and hence T \=A£A.Fq implies T [= {A£)'^.Fq implies T \=M.Fq. 
This concludes the proof. □ 

The following diagram shows the implications among the significant path quantifiers for 
reachability goals: 

A—^A£—^£ (3) 

We remark that the three goals ^.Fg, £.Fq, and A£.F q correspond, respectively, to the 
strong, weak, and strong cyclic planning problems of Cimatti et al. (2003) . 

6.2 Maintainability Goals 

We now consider another particular case, namely the maintainability goals G q, where q is 
a propositional formula. Maintainability goals have properties that are complementary to 

the properties of reachability goals. In this case, as soon as player A takes control, it can 
violate the maintainability goal if possible at all. The fact that player E can take control 
after player A is hence irrelevant, and the only interesting path quantifiers are A, £, and 
£A. 

Proposition 22 Let q be a propositional formula on atomic propositions Prop. Then, the 
following results hold for every labelled tree T. Then T \= A.Gq iff T \= A£. Gq iff T \= 
ASA. GqiffT\= (M)''. G q. Moreover T \= £A.G q iff T \= SAS. GqiffT\= {SA)"". G q. 

Proof. The proof is similar to the proof of Proposition 21. □ 

The following diagram shows the implications among the significant path quantifiers for 
maintainability goals: 

A ^ SA S 
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The goals ^. Gq, £.G q, and £A. G q correspond to maintainability variants of strong, weak, 
and strong cyclic planning problems. Indeed, they correspond to requiring that condition q is 
maintained for all evolutions despite nondeterminism (A. G q) , that condition q is maintained 
for some of the evolutions (S.Gq), and that it is possible to reach a state where condition 
q is always maintained despite nondeterminism {£A. Gp). 

7. Related Works and Concluding Remarks 

In this paper we have defined AS-LTL, a new temporal logic that extends LTL with the 

possibility of declaring complex path quantifiers that define the different degrees in which an 
LTL formula can be satisfied by a computation tree. We propose to use AS-LTL formulas 
for expressing temporally extended goals in nondeterministic planning domains. We have 
defined a planning algorithm for AS-LTL goals that is based on an automata-theoretic 
framework: the existence of a plan is reduced to checking the emptiness of a suitable parity 
tree automaton. We have studied the time complexity of the planning algorithm, proving 
that it is 2EXPTIME-complete in the length of the -LTL formula. 

In the field of planning, several works use temporal logics for defining goals. Most of 
these approaches (Bacchus & Kabanza, 1998, 2000; Calvanese et al., 2002; Cerrito & Mayer, 
1998; de Giacomo & Vardi, 1999; Kvarnstrom &: Doherty, 2001) use linear temporal logics 
as the goal language, and are not able to express conditions on the degree in which the goal 
should be satisfied with respect to the nondeterminism in the execution. Notable exceptions 
are the works described by Pistore, Bettin, and Traverso (2001), Pistore and Traverso (2001) 
and by Dal Lago et al. (2002). Pistore et al. (2001) and Pistore and Traverso (2001) use CTL 
as goal language, while Dal Lago et al. (2002) define a new branching time logic that allows 
for expressing temporally extended goals that can deal explicitly with failure and recovery 
in goal achievement. In these goal languages, however, path quantifiers are interleaved with 
the temporal operators, and are hence rather different from AS-LTL. 

In the field of temporal logics, the work on alternating temporal logic (ATL) (Alur, 
Henzinger, & Kupferman, 2002) is related to our work. In ATL, the path quantifiers in 
CTL and CTL* are replaced by game quantifiers. Nevertheless, there is no obvious way to 
expressed formulas of the form a.(p, where a is a path quantifier and (p is an LTL formula 
in ATL*, which is the most expressive logic studied by Alur et al. (2002). Our conjecture 
is that our logic and ATL* are of incomparable expressiveness. 

Some comments are in order on the practical impact of the 2EXPTIME complexity of 
the planning algorithm. First of all, in many planning problems we expect to have very 
complex and large domains, but goals that are relatively simple (see, e.g., the experimental 
evaluation performed by Pistore et al. (2001) in the case of planning goals expressed as CTL 
formulas). In these cases, the doubly exponential complexity of the algorithm in the size of 
the formula may not be a bottleneck. For larger -LTL goals, a doubly exponential time 
complexity may not be feasible, but it should be noted that this is worst-case complexity. 
We also note that improved algorithms for plan synthesis is an active research area, including 
the analysis of simpler LTL goals (Alur & La Torre, 2004) and the development of improved 
automata-theoretic algorithms (Kupferman & Vardi, 2005). 

The automata-theoretic framework that we have used in the paper is of wider applicabil- 
ity than AS-LTL goals. An interesting direction for future investigations is the application 
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of the framework to variants of AE-UTIj that allow for nesting of path quantifiers, or for 
goals that combine AS-LTL with propositional or temporal operators. This would allow, 
for instance, to specify goals which compose requirements of different strength. A simple 
example of such goals is {AS. Fp)A {A. G p) , which requires to achieve condition p in a strong 
cyclic way, maintaining condition g in a strong way. The impossibility to define such kind 
of goals is, in our opinion, the strongest limitation of ^f-LTL with respect to CTL and 
CTL*. 

Another direction for future investigations is the extension of the approach proposed in 
this paper to the case of planning under partial observability (de Giacomo k, Vardi, 1999), 

where one assumes that the agent executing the plan can observe only part of the state and 
hence its choices on the actions to execute may depend only on that part. 

We also plan to explore implementation issues and, in particular, the possibility of 
exploiting BDD-based symbolic techniques in a planning algorithm for A£-UTIj goals. In 
some cases, these techniques have shown to be able to deal effectively with domains and 
goals of a significant complexity, despite the exponential worst-case time complexity of the 
problems (Sertoli, Cimatti, Pistore, Roveri, & Traverso, 2001; Pistore et al., 2001). 
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